How US$1000 (or nothing) buys malware access to your network

Researchers at the University of Maryland, USA, have shown in a published paper that malware creators and propagators can get their payloads past some (if not a majority of) cyber-security products with ease, and at little if any cost.

Software applications can be cryptographically signed with a code-signing certificate issued by a trusted certificate authority (CA). Antivirus and antimalware software treats such a signature as evidence that a file is safe to let through, and therefore to pass into a protected network.

However, if the digital certificate is bogus, or has expired, many security systems will still not reject the software, despite simple tests for this being publicly available.

The researchers, Doowon Kim, BumJun Kwon and Tudor Dumitras, used 189 test cases of malware that carried valid digital signatures. These had been generated using 111 compromised certificates, previously issued by recognized CAs, which had been used to sign software in the normal manner.

The researchers found that:

“…simply copying an Authenticode signature from a legitimate sample to an unsigned malware sample may help the malware bypass AV detection.”

The trio found that more than 30 anti-virus products failed to check the certificate’s validity, and allowed malicious code to run on targeted systems.

A routine check on the certificates’ expiration or revocation status would have stopped 27 of the test examples, but many security software solutions did not undertake this check.

“We believe that this [inability to detect malware by security systems] is due to the fact that AVs take digital signatures into account when filter[ing] and prioritiz[ing] the list of files to scan, in order to reduce the overhead imposed on the user’s host.”

In short, to work more quickly, the products skip simple online queries that would significantly improve overall security. Rather than risk appearing to users or network administrators as a bottleneck that slows things down, they leave systems exposed.

More alarmingly, the researchers also tested 136 malware samples that had been signed using malformed digital signatures, and got similar results:

“[…]the incorrect implementation of Authenticode signature checks in many AVs gives malware authors the opportunity to evade detection with a simple and inexpensive method.”

A further experiment took two expired certificates: one that had been used to sign legitimate software and one recognized as having been used previously on in-the-wild malware. Each certificate was then applied to five pieces of malware, creating ten test applications.

While most antivirus installations rejected the malware when it was unsigned, products from some well-known vendors treated as many as eight of the ten badly-signed malware samples as legitimate.
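The checks the article says many products skip (does the signature match this file, is the certificate expired, has it been revoked) can be run on a Windows host in a few lines. This is an added example, not code from the paper or the article; it assumes Windows PowerShell with the built-in Get-AuthenticodeSignature cmdlet and network access for the online revocation lookup.

```powershell
# Added example: flag binaries whose Authenticode signature would not survive
# the validity, expiry and revocation checks the research found AVs skipping.
function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $findings = @()

    # A signature copied from another file no longer matches this file's hash
    # (HashMismatch); untrusted or broken chains surface as NotTrusted/UnknownError.
    if ($sig.Status -ne 'Valid') {
        $findings += "status=$($sig.Status): $($sig.StatusMessage)"
    }

    $cert = $sig.SignerCertificate
    if ($cert) {
        # An expired signing certificate is only acceptable when a trusted
        # timestamp countersignature proves the file was signed while it was valid.
        if ($cert.NotAfter -lt (Get-Date) -and -not $sig.TimeStamperCertificate) {
            $findings += "certificate expired $($cert.NotAfter) with no timestamp"
        }

        # Build the chain with online revocation checking for every certificate
        # in it; Build() returns $false for revoked, expired or untrusted links.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        if (-not $chain.Build($cert)) {
            foreach ($s in $chain.ChainStatus) {
                $findings += "chain: $($s.Status) $($s.StatusInformation.Trim())"
            }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Signer   = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Findings = $findings
    }
}

# Usage: report every binary in a quarantine folder (constructed path) that
# fails at least one check, instead of trusting the mere presence of a signature.
Get-ChildItem 'C:\Quarantine' -Filter *.exe |
    ForEach-Object { Test-SignedBinary -Path $_.FullName } |
    Where-Object { $_.Findings.Count -gt 0 }
```

A file the page describes as "badly signed" shows up here with a HashMismatch status, an expiry finding, or a chain status such as Revoked, rather than passing because a signature block is present.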

A list of the compromised code-signing certificates can be found here.

The researchers presented their findings at the Computer and Communications Security (CCS) conference in Dallas, USA on Wednesday.

The research paper, “Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI” can be downloaded here.

A study conducted by the Cyber Security Research Institute last week revealed that stolen digital code-signing certificates are readily available for purchase on the so-called dark web for around the US$1000 mark.

And it appears that even this outlay, modest given the potential earnings from a successful malware deployment, is not always necessary to bypass security, in an alarming number of cases.